FORTINET FORTIGATE AND IBM QRADAR
DEPLOYMENT GUIDE

DEPLOYMENT GUIDE: FORTINET FORTIGATE AND IBM QRADAR

CONTENTS

Overview
Deployment Prerequisites
Architecture Overview
QRadar Configuration
Fortinet Configuration
Summary


OVERVIEW
The Fortinet FortiGate App for QRadar provides visibility of FortiGate logs on traffic, threats, system logs and performance statistics, wireless AP and VPN. It displays top contributors to threats and traffic based on subtypes, service, user, IP, etc. The app also shows system, wireless and VPN events and performance statistics. Users can dive into each view to show the relevant logs by clicking on the charts. 35 customized properties, some of which may already exist in the Fortinet Content Pack, have been defined/re-defined to better interpret FortiGate logs.

Fortinet (NASDAQ: FTNT) is a global provider of high-performance network security and specialized security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape.

The Fortinet Security Fabric brings together all components in your network. It is Broad, Powerful and Automated. In addition to Fortinet products, the Security Fabric also integrates with 3rd Party partners to extend the power of the Security Fabric to other parts of an organization. For more information regarding our Security Fabric Partners, please refer to our Technology Alliances here: https://www.fortinet.com/partners/partnerships/alliance-partners.html

IBM (NYSE: IBM) Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 35 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

IBM® QRadar® SIEM detects anomalies, uncovers advanced threats and removes false positives. It consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network. It then uses an advanced Sense Analytics engine to normalize and correlate this data and identifies security offenses requiring investigation. As an option, it can incorporate IBM X-Force® Threat Intelligence, which supplies a list of potentially malicious IP addresses including malware hosts, spam sources and other threats. QRadar SIEM is available on premises and in a cloud environment.

DEPLOYMENT PREREQUISITES
1. Fortinet FortiGate version 5.4 or newer
2. Fortinet FortiAnalyzer Content Pack for QRadar
3. Fortinet FortiGate App for QRadar
4. QRadar version 7.2.8 or newer (tested with 7.2.8 Build 20160920132350)
5. IBM X-Force (formerly App Exchange) username and password

Architecture Overview

QRADAR CONFIGURATION
Add a Log Source from Admin > Data Sources > Events > Log Sources


Configure the Log Source


For the Log Source Name enter a unique name
For the Log Source Type Select Fortinet FortiGate Security Gateway
For the Log Source Identifier enter the FortiGate IP address

From the Admin screen select Extensions Management


Click IBM Security App Exchange to launch the X-Force/App Exchange portal

Search for “Fortinet”


Download the Fortinet Content Pack for QRadar
Download the Fortinet FortiGate App for QRadar

Install the Content Pack and then the FortiGate App from the Extensions Management screen by clicking Add


Browse for the Content Pack file downloaded previously then click Add
Select Overwrite if some customized properties already exist

Do the same for the FortiGate App

FORTINET CONFIGURATION
Configure FortiGate to send Syslog to the QRadar IP address
Under Log & Report click Log Settings


Enable Send Logs to Syslog


Enter the IP Address or FQDN of the QRadar server
Select the desired Log Settings
Click Save

Note: If the primary Syslog is already configured you can use the CLI to configure additional Syslog servers
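The note above says the additional syslog servers are set from the CLI but does not show the commands. The following FortiOS CLI fragment is an added example, not taken from the guide: it configures the primary server under `config log syslogd setting` (the same object the GUI "Send Logs to Syslog" switch edits) and a second server under `config log syslogd2 setting` (`syslogd3` and `syslogd4` follow the same pattern). The addresses 192.0.2.10 and 192.0.2.11 are documentation placeholders for the QRadar collectors; plain UDP on port 514, the `local7` facility and the default key=value log format are assumed here and should match whatever the QRadar log source was created with.

```fortios
# Added example, not from the guide. Replace the documentation addresses
# 192.0.2.10 / 192.0.2.11 with the real QRadar event collector addresses.

# Primary syslog server (edited by the GUI under Log & Report > Log Settings)
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
    set format default
end

# Lowest severity forwarded to the primary server
config log syslogd filter
    set severity information
end

# Additional server, e.g. a second QRadar collector; syslogd3/syslogd4 are identical
config log syslogd2 setting
    set status enable
    set server "192.0.2.11"
    set mode udp
    set port 514
    set facility local7
    set format default
end

# Review the resulting configuration
show log syslogd setting
show log syslogd2 setting

# Generate test log messages so arrival can be confirmed in QRadar's Log Activity
diagnose log test
```

After `diagnose log test`, the generated events should appear in QRadar's Log Activity view under the log source whose Log Source Identifier is the FortiGate IP address; if they are parsed as an unknown or generic log source, the Log Source Identifier or the log format does not match what was configured in the QRadar step above.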

The configuration is now complete


DISPLAY DASHBOARDS
Users can select different time ranges up to the last 30 days. Longer ranges may take longer to display, but progress is shown during the wait. The server caches results for a while so that a view can be revisited: results for the last 30 days are cached for 12 hours, other hour-based ranges are cached for 2 hours, and the shortest cache lifetime is 5 minutes.

THREAT DASHBOARD

TRAFFIC DASHBOARD


SYSTEM DASHBOARD

WIRELESS DASHBOARD


VPN DASHBOARD

SUMMARY

The Fortinet FortiGate App for QRadar has been designed to improve the capabilities and user experience for IBM QRadar users within
environments using Fortinet FortiGate solutions. The app provides additional visibility into FortiGate logs in the QRadar Ariel DB including
traffic, threats and system logs through a series of tabs and dashboards from within the QRadar GUI. The app displays top contributors
to threats and traffic based on variables including service, user, IP address and subtypes e.g. Web Filter, Anti-Virus, IPS and Application
Control. The app also displays performance statistics for the FortiGate system including Wireless Access Points and VPN events. QRadar
users can drill down into each view to show the relevant logs by clicking on the charts, with the ability to select different time ranges up
to the last 30 days. The app includes 35 customized properties, some of which were already available in Fortinet QRadar Content Pack,
however these have been defined/re-defined to better interpret FortiGate logs.

Solution Guide: https://www.fortinet.com/content/dam/fortinet/assets/alliances/user-guide-fortigate-app.pdf

IBM X-Force (formerly App Exchange): https://exchange.xforce.ibmcloud.com/hub

Note: The Fortinet FortiGate App for QRadar version 1.0.0 supports FortiGate versions 5.4 and older. Version 1.0.1 supports FortiGate
versions 5.6 and older.


Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
115271-0-0-EN August 23, 2017